Major hospitals and medical centers use integrated electronic medical record (IEMR) systems for scheduling, registration, clinical documentation, ePrescribing, computerized provider order entry, and charge capture. They improve communications, reduce medical errors, control costs, and help physicians deliver quality care by relieving them of inefficient paperwork and processes.
IEMR systems also provide connections to external entities, such as affiliates, referring physicians, and peer institutions. Even facilities within a healthcare network may not enjoy access to the same IEMR system, as access to any external entity is severely restricted by HIPAA regulations. As such, patient consent must be sought before any access is granted. This consent involves providing identification like a driver’s license with photo and their signature on a form. Only with this consent is the external entity given access. Periodic audits are required to ensure that all access records include the requisite consent forms. But these processes take time, and often mistakes are made when it comes to record keeping.
Introducing Healthcare Biometrics
To address these problems and improve patient privacy, some institutions are experimenting with biometrics to obtain consent from patients when they seek care via external physicians. By granting consent via biometric authentication and authorization, the patient easily provides both identification and non-repudiation proof of their consent at the same time. Biometric technologies that are difficult to spoof, such as iris and fingerprints, can uniquely identify patients and physicians within an IEMR system. Biometric authentication is easily incorporated within most IEMR systems and can replace password-based identity and access management as well as token-based two-factor authentication.
FREE WHITEPAPER: 4 FINGERS ARE BETTER THAN ONE
Currently, IEMR systems lack fine-grain control of access to their records, with external entities usually given copies of the entire record. Any updates must then be reported back to the institution, where the patient’s primary physician resides. While peer institutions can share records if they both use the same IEMR, any changes via third channels have to be reported back and updated at the primary institution.
Future IEMR systems will improve on inter-institutional record sharing but will likely resort to access via API management systems. The primary institution will provide an API for access to a patient’s record, but only portions of the record, with specific read, write, update, and delete permissions. Patient and physician consent will be needed for access to specific elements of the record in real-time or via prior approval. Unlike single-sign-on (SSO) protocols that allow all-or-nothing access, API management systems use protocols like OAuth 2.0 for such fine-grain authentication and authorization. Tokens can be provided for specific elements, with permissions granted for specified periods of time. Biometric authentication and authorization works well in such complex security environments, simplifying access but maintaining complex user permissions across the system.
Reinventing the Wheel for Patient Privacy
Some institutions are also beginning to experiment with sovereign control by the patient themselves for their EHR record via blockchain technologies. In this case, patients own their own records outside any institution via a secure hosting service. For example, an encrypted patient record could be stored on a blockchain using digital identifiers. Like a URL, the identifier points to a decentralized document object that stores the actual encrypted record.
Sovereign control of IEMR data by the patient allows for portability and interoperability, but potential loss and compromise remain problematic. Any institution that needs access would have to obtain consent from the patient directly. Biometric authentication provides the most convenience in this situation because lost passwords and tokens cannot be replaced by any central authority.
In any case, future IEMR APIs and sovereign control systems must put the patient in control of their records and empower them to grant access via explicit consent. Healthcare biometrics offer a simple and convenient solution to authentication and authorization without the complexities and costs of password- and token-based solutions.
